add safe eval for browser and eval option #185

Merged
merged 14 commits into from
May 5, 2024
update jsonpath.d.ts
80avin committed Aug 6, 2023
commit de0566aee8abf14b7f0f57e2711dbea06cf997fa
8 changes: 5 additions & 3 deletions dist/index-browser-esm.js
Expand Up @@ -1720,6 +1720,7 @@ var plugin = {
}
};

/* eslint-disable jsdoc/valid-types */
var hasOwnProp = Object.prototype.hasOwnProperty;
/**
* @typedef {null|boolean|number|string|PlainObject|GenericArray} JSONObject
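Review bot: the `/* eslint-disable jsdoc/valid-types */` added above `var hasOwnProp` is a block-style disable with no matching `eslint-enable` in the visible lines, so it switches the rule off for everything that follows in the file rather than for the one typedef that needs it. Prefer an `eslint-disable-next-line jsdoc/valid-types` placed directly on the `EvalClass` typedef, so other malformed JSDoc types keep being reported. The same edit repeats across the four `dist/` bundles, so make the change in the source they are built from and regenerate.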
Expand Down Expand Up @@ -1825,9 +1826,10 @@ var NewError = /*#__PURE__*/function (_Error) {
* @param {ContextItem} context
* @returns {EvaluatedResult}
*/
// /**
// * @typedef {@typeof import('./jsonpath-browser').SafeScript} EvalClass
// */

/**
* @typedef {@typeof import('./jsonpath-browser').SafeScript} EvalClass
*/

/* eslint-disable max-len -- Can make multiline type after https://github.com/syavorsky/comment-parser/issues/109 */
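Review bot: in the un-commented typedef, `{@typeof import('./jsonpath-browser').SafeScript}` does not look like a type expression that JSDoc or TypeScript tooling will parse; the `@` in front of `typeof` reads as a typo. Writing it as `{typeof import('./jsonpath-browser').SafeScript}` states the intent (the `SafeScript` class itself, not an instance) in syntax TypeScript-aware tools understand, and may remove the need for the `jsdoc/valid-types` disable added at the top of the file.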

2 changes: 1 addition & 1 deletion dist/index-browser-esm.min.js.map

Large diffs are not rendered by default.

8 changes: 5 additions & 3 deletions dist/index-browser-umd.cjs
Expand Up @@ -1726,6 +1726,7 @@
}
};

/* eslint-disable jsdoc/valid-types */
var hasOwnProp = Object.prototype.hasOwnProperty;
/**
* @typedef {null|boolean|number|string|PlainObject|GenericArray} JSONObject
Expand Down Expand Up @@ -1831,9 +1832,10 @@
* @param {ContextItem} context
* @returns {EvaluatedResult}
*/
// /**
// * @typedef {@typeof import('./jsonpath-browser').SafeScript} EvalClass
// */

/**
* @typedef {@typeof import('./jsonpath-browser').SafeScript} EvalClass
*/

/* eslint-disable max-len -- Can make multiline type after https://github.com/syavorsky/comment-parser/issues/109 */

2 changes: 1 addition & 1 deletion dist/index-browser-umd.min.cjs.map

Large diffs are not rendered by default.

8 changes: 5 additions & 3 deletions dist/index-node-cjs.cjs
Expand Up @@ -8,6 +8,7 @@ function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'defau

var vm__default = /*#__PURE__*/_interopDefaultLegacy(vm);

/* eslint-disable jsdoc/valid-types */
const {
hasOwnProperty: hasOwnProp
} = Object.prototype;
Expand Down Expand Up @@ -105,9 +106,10 @@ class NewError extends Error {
* @param {ContextItem} context
* @returns {EvaluatedResult}
*/
// /**
// * @typedef {@typeof import('./jsonpath-browser').SafeScript} EvalClass
// */

/**
* @typedef {@typeof import('./jsonpath-browser').SafeScript} EvalClass
*/

/* eslint-disable max-len -- Can make multiline type after https://github.com/syavorsky/comment-parser/issues/109 */
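Review bot: the `EvalClass` typedef in this Node bundle takes its type from `import('./jsonpath-browser')`, a path that is relative to `dist/index-node-cjs.cjs`, while the runtime code in the same file is built on `vm` (`vm__default`). Tooling that reads the Node build will either fail to resolve that import or describe the evaluator as the browser `SafeScript` instead of something shaped like `vm.Script`. Consider defining the typedef structurally (a constructor taking `code` and a `runInNewContext(context)` method) so the comment is accurate in both the browser and Node builds.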

8 changes: 5 additions & 3 deletions dist/index-node-esm.js
@@ -1,5 +1,6 @@
import vm from 'vm';

/* eslint-disable jsdoc/valid-types */
const {
hasOwnProperty: hasOwnProp
} = Object.prototype;
Expand Down Expand Up @@ -97,9 +98,10 @@ class NewError extends Error {
* @param {ContextItem} context
* @returns {EvaluatedResult}
*/
// /**
// * @typedef {@typeof import('./jsonpath-browser').SafeScript} EvalClass
// */

/**
* @typedef {@typeof import('./jsonpath-browser').SafeScript} EvalClass
*/

/* eslint-disable max-len -- Can make multiline type after https://github.com/syavorsky/comment-parser/issues/109 */

41 changes: 24 additions & 17 deletions src/jsonpath.d.ts
Expand Up @@ -8,6 +8,11 @@ declare module 'jsonpath-plus' {

type JSONPathOtherTypeCallback = (...args: any[]) => void

class EvalClass {
constructor(code: string);
runInNewContext(context: object): any;
}

interface JSONPathOptions {
/**
* The JSONPath expression as a (normalized or unnormalized) string or
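Review bot: `class EvalClass` is declared with no doc comment, and `runInNewContext(context: object): any` tells an implementer nothing about the contract. This is the shape a user-supplied evaluator has to satisfy, so document on the class that the constructor receives the expression source as `code` and that `runInNewContext` is called with the evaluation context and must return the expression's value. Returning `unknown` instead of `any` would also keep the evaluated result from silently bypassing type checks in calling code.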
Expand Down Expand Up @@ -72,27 +77,29 @@ declare module 'jsonpath-plus' {
* @default true
*/
wrap?: true | boolean
/**
* Although JavaScript evaluation expressions are allowed by default,
* for security reasons (if one is operating on untrusted user input,
* for example), one may wish to set this option to true to throw
* exceptions when these expressions are attempted.
*
* @default false
*/
preventEval?: false | boolean
/**
* Script evaluation method.
*
* `safe`: In browser, it will use a minimal scripting engine which doesn't use `eval` or `Function` and satisfies Content Security Policy. In NodeJS, it has no effect and is equivalent to native as scripting is safe there.
*
* `native`: uses the native scripting capabilities. i.e. unsafe `eval` or `Function` in browser and `vm.Script` in nodejs.
*
* `none`: Disabled scripting. This is equivalent to `preventEval: true`
*
*
* `safe`: In browser, it will use a minimal scripting engine which doesn't
* use `eval` or `Function` and satisfies Content Security Policy. In NodeJS,
* it has no effect and is equivalent to native as scripting is safe there.
*
* `native`: uses the native scripting capabilities. i.e. unsafe `eval` or
* `Function` in browser and `vm.Script` in nodejs.
*
* `true`: Same as 'safe'
*
* `false`: Disable Javascript executions in path string. Same as `preventEval: true` in previous versions.
*
* `callback [ (code, context) => value]`: A custom implementation which is called
* with `code` and `context` as arguments to return the evaluated value.
*
* `class`: A class similar to nodejs vm.Script. It will be created with `code` as constructor argument and the code
* is evaluated by calling `runInNewContext` with `context`.
*
* @default 'safe'
*/
evalType?: 'safe' | 'native' | 'none'
eval?: 'safe' | 'native' | boolean | ((code: string, context: object) => any) | typeof EvalClass
/**
* In the event that a query could be made to return the root node,
* this allows the parent of that root node to be returned within results.
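Review bot: the `safe` entry in the new `eval` doc comment says that in NodeJS it "is equivalent to native as scripting is safe there", and `native` is defined two lines later as `vm.Script`. Node's own documentation states that the `vm` module is not a security mechanism and must not be used to run untrusted code, so with `@default 'safe'` a Node consumer evaluating untrusted path strings gets `vm.Script` execution under a label that reads as sandboxed. Reword the entry to say that `safe` only changes behaviour in the browser, and point Node callers that handle untrusted paths to `eval: false`. Separately, if `preventEval` and `evalType` are being dropped from `JSONPathOptions` in this hunk, existing typed callers stop compiling; keeping them as `@deprecated` members that map onto `eval` would make the migration explicit.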